Belgian Watchdog Blasts Facebook For Treating User Data “With Contempt”

Belgium’s privacy watchdog today accused Facebook of violating European and Belgian privacy laws by tracking people online without their consent, and said it would take legal action if Facebook refuses to obey its recommendations.

The commission said Facebook treats the personal data of Internet users “with contempt,” and that the company has been uncooperative with regulators investigating its privacy practices.

“The way in which [Facebook] is contemptuous of the private lives of its members and of all Internet users demands action,” Willem Debeuckelaere, the commission’s president, said in the Wall Street Journal. “It’s make or break time” for Facebook, he said.

The Belgian Privacy Commission — the CPVP/CBPL — based its accusations on an academic study it commissioned investigating Facebook’s data collection and privacy practices.

At issue is Facebook’s use of “like” and “share” buttons on 13 million third-party websites in the EU, collecting data from visitors to those sites that could be used to serve targeted advertising. Such tracking is “intrusive,” the commission said, adding that Facebook is “in a unique position, since it can easily link its users’ surfing behavior to their real identity, social network interactions and sensitive data such as medical information and religious, sexual and political preferences.”

The regulator also said Facebook has been tracking visitors to pages on Facebook.com that don’t require signing into the network. European law requires, the report said, that Facebook receive explicit consent from users before any such tracking. Among the other recommendations from the commission as reported by The Guardian:

The data protection authority recommends that website owners using Facebook’s social plugins implement a two-stage click-through process so that users not wanting to interact with Facebook are not exposed to the service.

It also requests that Facebook alter the design of its plugins so that the mere presence of a social plug-in on an external website does not lead to the transmission of data to Facebook.

Users are also advised to adopt the use of privacy-guarding software, such as Privacy Badger, Ghostery or Disconnect browser extensions.

Facebook has denied wrongdoing and is disputing whether the Belgian regulator, the CBPL, has jurisdiction, since the company’s European operation is based in Ireland. Under EU law, companies that conform to laws in one member state can operate in other countries in the union. But the Belgian commission argues that it has regulatory authority because Facebook has an office in Belgium.

A Facebook spokesman told the Guardian: “As we expressed to the CBPL in person when we met, there is nothing more important to us than the privacy of our users and we work hard to make sure people have control over what they share and with whom. Facebook is already regulated in Europe and complies with European data protection law, so the applicability of the CBPL’s efforts are unclear. But we will of course review the recommendations when we receive them with our European regulator, the Irish Data Protection Commissioner.”

This action comes amidst increased scrutiny of the data practices of U.S. tech firms in Europe. Facebook practices are also being probed Dutch data protection authority and an EU data protection working party. The company is also facing a class action privacy suit in Vienna.

Facebook has argued that the competing legal and regulatory fronts pose risks to online business in Europe. Stephen Deadman, a Facebook privacy executive, said Facebook is big enough to handle regulatory and legal complications, but smaller firms will be hurt. In a in a blog post Thursday, he wrote:

---

---

For companies of our size and scale, we can manage this complexity, even if it means delaying or not launching services in particular markets. But for smaller businesses and startups, it represents a major barrier to even getting off the ground: a huge setback for Europe’s digital ambitions. Even mid-size, growing European tech companies, many of whom have also established in a single member state for data protection purposes, would see a significant impact on their ability to serve consumers throughout the EU.